System and method for determining location of rogue wireless access point

ABSTRACT

Described are a method and system for determining a location of an unauthorized wireless access point (“AP”) accessing a communication network. The system may include at least three authorized wireless devices and a computing arrangement generating a tracking data record. The tracking record includes a location of each of the at least three authorized wireless devices and strength data corresponding to strengths of signals of the unauthorized AP as measured by each of the at least three authorized wireless devices. The computing arrangement determines the location of the unauthorized AP as a function of the tracking record.

PRIORITY CLAIM

The present application is a continuation of U.S. patent application Ser. No. 10/699,257 filed Oct. 31, 2003, entitled “System and Method for Determining Location of Rogue Wireless Access Point”. The entire disclosure of the prior application is considered as being part of the disclosure of the accompanying application and is hereby expressly incorporated by reference herein.

BACKGROUND INFORMATION

With the proliferation of wireless networks, many organizations (e.g., enterprises, universities, hospitals, etc.) have installed or are planning to install wireless networks in addition to, or instead of, wired networks. Such wireless networks are believed to increase efficiency and productivity. However, one of the disadvantages of wireless networks is the security of such networks. Unlike wired networks, which are usually enclosed in the secure and protected premises of the organization, elements of wireless networks (e.g., wireless access points [“AP”]) may be scattered throughout the organization's premises.

One major threat to wireless network security is a rogue AP. A rogue AP is an unauthorized AP that allows a third party to access the organization's network without the permission of the organization. For instance, a rogue AP may be installed with malicious intentions (e.g., to obtain access to the organization's data stored on the network). Another example of utilization of a rogue AP is a less threatening scenario: a member of the organization (e.g., an employee) may connect a rogue AP to the organization's network without proper authorization. In other words, the employee may be authorized to use the organization's network, but the use of that particular AP may be unauthorized. This situation may occur, for example, if the employee decides to use his personal AP for more convenient access to the organization's network. If the AP is not properly configured to provide secure access to authorized users, then unauthorized users using compatible hardware may also gain access to the network. This is of particular concern when the AP covers a physical area outside of the organization's premises. Then, unauthorized users may access the network without physically entering the organization's premises.

To address the threat of a rogue AP, the network administrator monitors the traffic on the network. Once a rogue AP is detected, however, the problem is to locate this rogue AP so that it can be removed. Finding the rogue AP may be a difficult task, as the AP may be hidden anywhere on the organization's premises. For example, the rogue AP may be hidden above ceilings or behind walls. There is, therefore, a need for a system and method that determines the particular location of a rogue AP with great accuracy (e.g., within two feet) within the organization's premises.

SUMMARY OF THE INVENTION

Described are a method and system for determining a location of an unauthorized wireless access point (“AP”) accessing a communication network. Upon notification of the existence of the unauthorized AP, at least three authorized APs of the communication network initiate tracking of a beacon of the unauthorized AP.

A tracking data record is generated partially based on information obtained during the tracking of the tracking beacon. The tracking record may include a location of each of the authorized APs and at least one of (i) first strength data corresponding to a strength of the tracking beacon as measured by each of the authorized APs and (ii) first time data corresponding to a time period that it takes for the tracking beacon to arrive at each of the authorized APs. The location of the unauthorized AP is determined as a function of at least one of (i) the tracking record and (ii) a calibrating record. The calibrating record may include (a) at least one of second strength data corresponding to a strength of a calibrating beacon as transmitted from a predetermined location within the communication network and received by each of the authorized APs and second time data corresponding to a time period that it takes for the calibrating beacon to arrive from the predetermined location at each of the authorized APs, (b) the predetermined location and (c) the location of each of the authorized APs.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 shows an exemplary embodiment of a system according to the present invention; and

FIG. 2 shows an exemplary embodiment of a method according to the present invention.

DETAILED DESCRIPTION

FIG. 1 shows an exemplary embodiment of a wireless network and, in particular, a wireless local area network (“WLAN”) 100 according to the present invention. The WLAN 100 may include a plurality of authorized access points (“AP”s) 10, 20 and 30. The WLAN 100 may also include a plurality of authorized mobile units (“MU”s) (e.g., MU 1-5) and at least one server (e.g., a server 70). The APs 10-30 may be connected directly to the server 70. The WLAN 100 includes a database 82 storing data regarding authorized devices, authorized users, locations of the WLAN's assets, etc. The database 82 may also include identification information about devices that are specifically prohibited from accessing the WLAN 100.

The MU 1 accesses various assets of the WLAN 100 via the APs 10-30. Depending on where the MU 1 is located at a particular time, the MU 1 may access the WLAN 100 via the closest AP. Every AP periodically transmits beacon signals, which may be used to determine the closest AP. For example, the MU 1 may determine that the AP 20 is the closest AP. Therefore, the MU 1 establishes wireless communication with the WLAN 100 via the AP 20, rather than via the AP 10 or the AP 30.

If the user of the MU 1 attempts to access the server 70, the MU 1 first waits for a communication channel to the AP 20 to be available. Once the communication channel is available, the MU 1 transmits an authentication message to the AP 20 requesting access to the WLAN 100. The authentication message may contain the user's identification data (e.g., login name and password). When the AP 20 receives the authentication message from the MU 1, it initiates an authentication process. The authentication process may include verification of the identification data received from the user against the data stored in the database 82. If the identification data is not verified, then the MU 1 is denied access to the WLAN 100. However, if the identification data is verified, then the AP 20 transmits a corresponding response authorizing the MU 1 to access the WLAN 100. Once the MU 1 receives authorization, the MU 1 may access the WLAN 100 via the AP 20. For example, the user of the MU 1 may then access the server 70.

An unauthorized user may desire to obtain access to the WLAN 100, and in particular to the server 70, utilizing an unauthorized, or rogue, AP 60. The rogue AP 60 may be configured to check its resident database before approving access to the WLAN 100. The resident database of the AP 60, configured by the unauthorized user, may contain, for example, a login name and/or password of the unauthorized user. Alternatively, the rogue AP 60 may be configured to approve access without verifying the identification data from the authentication message. The rogue AP 60 may then provide access to the WLAN 100 to a rogue MU 6.

The unauthorized user may use the MU 6 to access the server 70 via the rogue AP 60. The MU 6 transmits an authentication message to the rogue AP 60, which is configured by the unauthorized user to allow the MU 6 to access the WLAN 100. The unauthorized user may then gain access to the server 70 by logging in in the same manner as an authorized user.

FIG. 2 shows a method according to an exemplary embodiment of the present invention utilized to determine the location of the rogue AP 60 with great accuracy (e.g., within two feet). Such a location, or a specific area within which the rogue AP 60 may be located, may be determined in relationship to another known object or location (e.g., within a three-foot radius of the printer in Mr. Smith's office; in a reception area near a door, etc.). The method is described with reference to FIG. 1. Those skilled in the art will understand that other systems having varying configurations, for example, different numbers of APs, WLANs or MUs, may be used to implement the exemplary method.

In step 110, the rogue AP 60 is detected and identified as an unauthorized AP. A person skilled in the art will understand that the detection of the rogue AP 60 may be accomplished in a variety of ways. For example, the network administrator may monitor the traffic on the WLAN 100 using a sniffer program to detect any rogue APs.

Another method of detecting the rogue AP 60 may involve beacon signals. These beacons are periodically transmitted by every AP. The beacon signal may contain information including the MAC address of the transmitting AP, a service set identifier (“SSID”), supported data rates, etc. The first three octets of the MAC address are assigned to the manufacturer, and hence the MAC address is utilized as a manufacturer identification of the AP. The SSID identifies a virtual local area network (“VLAN”) that is served by a particular WLAN. The VLAN may encompass a single WLAN (e.g., WLAN 100) or a plurality of WLANs. Conversely, the WLAN 100 may serve a plurality of VLANs, and a particular AP beacon from an AP associated with the WLAN 100 may contain a list of SSIDs.

Based on the information stored in the beacon signals, a determination is made as to whether the received beacon signal is from an authorized or an unauthorized AP. This may be determined based on two exemplary criteria. These criteria may be used alternatively or in conjunction to determine if the particular AP is unauthorized. Those skilled in the art would understand that there may be a plurality of other criteria used to make such a determination.

The first exemplary criterion is based upon a verification of the manufacturer identification of the MAC address of the transmitting AP. The data stored in the beacon signal is compared to the data stored in the database 82, which contains data of the authorized APs.

The second exemplary criterion is based upon a verification of the SSID stored in the beacon signal against the authorized SSIDs stored in the database 82. If this criterion is utilized, the network administrator or another authorized user may generate a list of valid SSIDs. Therefore, if the rogue AP 60 is manufactured by an authorized manufacturer but the SSID in the beacon is invalid, then the presence of the rogue AP 60 is detected. Both criteria rely on fields that the operator of the rogue AP 60 controls: a rogue AP configured with a MAC address of an authorized manufacturer and a valid SSID satisfies both, so the database 82 should also hold the exact MAC addresses of the authorized APs. Those skilled in the art will understand that the network administrator may also insert other codes into the beacons of the authorized APs that may be used to identify authorized/unauthorized APs.

In step 120, once a determination is made that the beacon is received from the unauthorized rogue AP 60, a “set trap” procedure is initiated. The “set trap” procedure creates a data record of information that may be useful for tracking the rogue AP 60. Such a data record may include, for example, the MAC address and SSID of the AP 10 (the detecting AP), as well as the MAC address and SSID of the rogue AP 60. The data record may also include the time and date when the data record was created and the criteria used to detect the rogue AP 60 (e.g., unverified manufacturer's MAC address, no matching SSID, etc.).

After the “set trap” procedure has been initiated, APs that are situated within a predetermined proximity to the rogue AP 60 (i.e., those APs that detected the rogue AP) are instructed to track beacon signals emanating from the rogue AP 60. For instance, assuming that all APs 10-30 detect the rogue AP 60, all APs 10-30 also track the signals of the detected rogue AP 60.
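The detection criteria of step 110 and the “set trap” record of step 120, carried through in code. This is an added example written for this page, not an implementation from the patent: the authorized manufacturer prefix, the SSID list, the prohibited-device list and the beacon records are constructed stand-ins for the database 82 and for frames heard by the APs 10-30, and the field names are hypothetical.

```python
# Beacon-based rogue AP detection (step 110) and "set trap" record (step 120).
# Example code written for this page, not the patent's own implementation; the
# authorized-device lists and beacon records below are constructed stand-ins for
# the database 82 and for frames heard by the APs 10-30.
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Beacon:
    """Fields of an 802.11 beacon as heard by one authorized AP."""
    transmitter_mac: str  # MAC address of the AP that sent the beacon
    ssids: tuple          # SSID(s) carried in the beacon (an AP may advertise several)
    heard_by_mac: str     # MAC address of the authorized AP that received it
    heard_by_ssid: str    # SSID served by that authorized AP


# Constructed stand-in for the database 82 (hypothetical values).
AUTHORIZED_OUIS = {"00:A0:F8"}                  # manufacturer prefixes of authorized APs
AUTHORIZED_SSIDS = {"corp-wlan", "corp-guest"}  # list of valid SSIDs
PROHIBITED_MACS = {"DE:AD:BE:EF:00:01"}         # devices explicitly barred from the WLAN


def manufacturer_id(mac: str) -> str:
    """First three octets of the MAC address, i.e. the manufacturer's prefix."""
    return mac.upper()[:8]


def detection_criteria(beacon: Beacon) -> list:
    """Apply the two exemplary criteria (manufacturer ID, SSID) plus the prohibited
    list. Returns the criteria that flagged the beacon; an empty list means not flagged."""
    mac = beacon.transmitter_mac.upper()
    reasons = []
    if mac in PROHIBITED_MACS:
        reasons.append("prohibited MAC address")
    if manufacturer_id(mac) not in AUTHORIZED_OUIS:
        reasons.append("unverified manufacturer MAC address")
    if any(ssid not in AUTHORIZED_SSIDS for ssid in beacon.ssids):
        reasons.append("no matching SSID")
    return reasons


def set_trap(beacon: Beacon, reasons: list, created: datetime) -> dict:
    """Create the 'set trap' record for a beacon that failed the criteria."""
    return {
        "detecting_ap_mac": beacon.heard_by_mac,
        "detecting_ap_ssid": beacon.heard_by_ssid,
        "rogue_mac": beacon.transmitter_mac.upper(),
        "rogue_ssids": list(beacon.ssids),
        "created": created.isoformat(),
        "criteria": list(reasons),
        "tracking_aps": [beacon.heard_by_mac],  # APs that will track the rogue's beacons
    }


def process_beacons(beacons, created=None) -> dict:
    """Return one trap record per rogue MAC; every authorized AP that heard the
    rogue is added to its tracking list (those are the APs told to track it)."""
    created = created or datetime.now(timezone.utc)
    traps = {}
    for beacon in beacons:
        reasons = detection_criteria(beacon)
        if not reasons:
            continue
        record = traps.setdefault(beacon.transmitter_mac.upper(),
                                  set_trap(beacon, reasons, created))
        if beacon.heard_by_mac not in record["tracking_aps"]:
            record["tracking_aps"].append(beacon.heard_by_mac)
    return traps


# Constructed sample: beacons heard by the authorized APs 10, 20 and 30.
AP10, AP20, AP30 = "00:A0:F8:11:22:33", "00:A0:F8:11:22:44", "00:A0:F8:11:22:55"
SAMPLE_BEACONS = [
    Beacon(AP20, ("corp-wlan", "corp-guest"), AP10, "corp-wlan"),    # authorized AP 20
    Beacon("00:11:22:33:44:55", ("linksys",), AP10, "corp-wlan"),   # rogue, heard by AP 10
    Beacon("00:11:22:33:44:55", ("linksys",), AP20, "corp-wlan"),   # same rogue, AP 20
    Beacon("00:11:22:33:44:55", ("linksys",), AP30, "corp-wlan"),   # same rogue, AP 30
    Beacon("DE:AD:BE:EF:00:01", ("corp-wlan",), AP30, "corp-wlan"),  # barred device
    Beacon("00:A0:F8:99:99:99", ("corp-wlan",), AP20, "corp-wlan"),  # spoofed prefix + SSID
]

if __name__ == "__main__":
    for mac, record in process_beacons(SAMPLE_BEACONS).items():
        print(mac, record["criteria"], "tracked by", record["tracking_aps"])
```

The last sample beacon shows the limit of the two criteria: a rogue AP that copies an authorized manufacturer prefix and a valid SSID is not flagged by either, which is why the record of authorized devices should also carry exact MAC addresses or the additional beacon codes the description mentions.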

The physical location of the rogue AP 60 may be determined by utilizing Received Signal Strength Indication (“RSSI”, measured in dBm) data and/or Difference in Time Of Arrival (“DTOA”, measured in ns) data, as discussed in more detail below. While either the DTOA data or the RSSI data alone may be sufficient to calculate the location of the rogue AP 60, it is preferred that both sets of data are used in order to provide the most accurate calculation of the rogue AP 60's location.

Prior to the set trap procedure, a calibration procedure needs to be performed if RSSI is to be utilized. The calibration procedure is optional for DTOA. The calibration procedure may be accomplished by placing a computing device (e.g., MU 4 or any AP) at a number of particular locations within the WLAN 100 (i.e., landmarks). A landmark may be a reception area, a publication room, a storage room, a server room, etc. During the calibration procedure, calibration data such as shown below is generated.

Calibration Table

Landmark            AP 10            AP 20            AP 30
Reception area      −10 dBm  4 ns    −20 dBm  3 ns    −30 dBm  2 ns
Publication room    −40 dBm  1 ns    −20 dBm  3 ns    −20 dBm  3 ns
Storage room        −30 dBm  2 ns    −10 dBm  4 ns    −20 dBm  3 ns
Server room         −20 dBm  3 ns    −30 dBm  2 ns    −10 dBm  4 ns

The Calibration Table shows exemplary calibration data including the RSSI data and the DTOA data as recorded by each AP 10-30 for four different landmarks within the WLAN 100. In particular, each AP 10-30 obtains different data readings because of the different distance between each AP 10-30 and the MU 4. The values are illustrative only; note that for a true time-of-flight measurement the nearest AP, which records the strongest signal, would also record the shortest time, whereas the table pairs the strongest RSSI with the longest time. The calibration process is preferably repeated a few times in order to obtain accurate calibration data.

In step 132, the APs 10-30 may record and analyze the beacon signals in order to generate the RSSI data. That RSSI data may then be transmitted to the server 70 for further analysis (step 140). Alternatively, the RSSI data may be stored by the corresponding AP and periodically retrieved by the server 70 or automatically forwarded to the server 70. The system for handling communication of this RSSI data may be implemented with the common Simple Network Management Protocol (“SNMP”) or a similar protocol.

In order to determine the location of the rogue AP 60 using the RSSI data, preferably at least three reference points (i.e., APs 10-30) are used. Three reference points (e.g., APs 10-30) represent the minimum number of locations inside a three-dimensional space (i.e., a building where the WLAN 100 is located) that would be required to calculate the position of a fourth point (i.e., the rogue AP 60). Since the rogue AP 60 continually transmits beacon signals, the APs 10-30 may continually receive and compile corresponding RSSI data. The three distances derived from the RSSI data collected from the rogue AP 60 by the APs 10-30 place the rogue AP 60 at the intersection of three spheres centered on the APs 10-30. In general that intersection consists of two points, mirror images of each other across the plane containing the three APs; the candidate that falls outside the building or floor is discarded, or a fourth reference point is used to resolve the ambiguity.

It is also possible to use DTOA data to determine the location of the rogue AP 60 by triangulating the distance between the rogue AP 60 and three points of reference: the APs 10-30. In addition, or in the alternative, the location may be determined using the DTOA data along with the calibration data. In step 130, the APs 10-30, either alone or in combination with the RSSI data collection, generate DTOA data. The DTOA data may be generated by processing the received beacon signals from the rogue AP 60 and measuring the time that it takes for those beacon signals to arrive at the corresponding APs 10-30. Since the instant at which the rogue AP 60 transmits a beacon is not known to the WLAN 100, the APs 10-30 require a common time reference, and what is measured in practice is the difference in arrival time of the same beacon at the different APs. To determine the location of the rogue AP 60 using the DTOA data, at least three reference points are necessary (e.g., APs 10-30).

In step 150, the server 70 analyzes the RSSI and/or DTOA data received from the APs 10-30 and compares it to the RSSI data and/or the DTOA data generated during the calibration procedure. The RSSI data and/or DTOA data allow the server 70 to determine the distances between the rogue AP 60 and the corresponding APs 10-30. For example, if the AP 20 records a stronger signal strength value than the AP 30, it may be that the AP 60 is located closer to the AP 20. This determination may be made with additional precision if either or both of the AP 20 and the AP 30 use directional antennas.

The RSSI data and/or DTOA data provide the server 70 with sufficient distance data to determine the location of the rogue AP 60 within the WLAN 100. In other words, since the server 70 has the distance data between each AP 10-30 and the rogue AP 60 obtained from the RSSI and/or DTOA data, it can calculate the location of the rogue AP 60 relative to those APs 10-30. One exemplary method for determining the location of the rogue AP 60 is as follows. First, the location of the rogue AP 60 is determined using the RSSI data and the calibration data. Then, the location of the rogue AP 60 is further pinpointed by triangulating with the DTOA data.
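The exemplary method of steps 130-150 worked through in code: a coarse placement by matching the tracked RSSI vector against the Calibration Table, then a least-squares trilateration from per-AP distances. This is an added example written for this page, not the patent's own implementation. The AP coordinates, the log-distance path-loss model, the tracking readings and the helper that constructs time values are assumptions; only the calibration values come from the table above. The solver works in the plane of one floor, which is why three non-collinear APs give a single answer; in three dimensions a fourth AP or the floor plan is needed to discard the mirror-image solution.

```python
# Locating the rogue AP from the tracking data: coarse placement by matching the
# RSSI vector against the calibration table, then a least-squares trilateration
# from per-AP distances. Example code written for this page, not the patent's
# own implementation. The AP coordinates, the path-loss model and the readings
# below are constructed assumptions; the calibration values are the page's table.
import math

C_M_PER_NS = 0.299792458  # speed of light in metres per nanosecond

# Constructed floor-plan coordinates (metres) of the three authorized APs.
AP_POSITIONS = {"AP10": (0.0, 0.0), "AP20": (30.0, 0.0), "AP30": (0.0, 20.0)}

# Calibration table from the description: landmark -> {AP: (RSSI in dBm, time in ns)}.
CALIBRATION = {
    "Reception area":   {"AP10": (-10, 4), "AP20": (-20, 3), "AP30": (-30, 2)},
    "Publication room": {"AP10": (-40, 1), "AP20": (-20, 3), "AP30": (-20, 3)},
    "Storage room":     {"AP10": (-30, 2), "AP20": (-10, 4), "AP30": (-20, 3)},
    "Server room":      {"AP10": (-20, 3), "AP20": (-30, 2), "AP30": (-10, 4)},
}


def nearest_landmark(rssi_by_ap: dict) -> str:
    """Coarse step: the landmark whose calibrated RSSI fingerprint is closest
    (Euclidean distance in dB) to the RSSI vector tracked from the rogue AP."""
    def distance(landmark):
        return math.sqrt(sum((rssi_by_ap[ap] - CALIBRATION[landmark][ap][0]) ** 2
                             for ap in rssi_by_ap))
    return min(CALIBRATION, key=distance)


def rssi_to_distance(rssi_dbm: float, rssi_at_1m: float = -40.0, exponent: float = 3.0) -> float:
    """Log-distance path-loss model (an assumption; the page names no model).
    rssi_at_1m and exponent would be fitted from the calibration data in practice."""
    return 10 ** ((rssi_at_1m - rssi_dbm) / (10 * exponent))


def tof_to_distance(ns: float) -> float:
    """Time of flight to distance. This needs the transmit instant, which a rogue
    AP does not reveal; real deployments work from arrival-time differences."""
    return ns * C_M_PER_NS


def trilaterate(distance_by_ap: dict) -> tuple:
    """Fine step: least-squares (x, y) from >= 3 AP-to-rogue distances.
    Subtracting the first circle equation from the others makes the system linear."""
    aps = list(distance_by_ap)
    (x0, y0), d0 = AP_POSITIONS[aps[0]], distance_by_ap[aps[0]]
    rows, rhs = [], []
    for ap in aps[1:]:
        (xi, yi), di = AP_POSITIONS[ap], distance_by_ap[ap]
        rows.append((2 * (xi - x0), 2 * (yi - y0)))
        rhs.append(d0 ** 2 - di ** 2 + xi ** 2 - x0 ** 2 + yi ** 2 - y0 ** 2)
    # Normal equations (A^T A) p = A^T b for the two unknowns, solved by Cramer's rule.
    a11 = sum(r[0] * r[0] for r in rows)
    a12 = sum(r[0] * r[1] for r in rows)
    a22 = sum(r[1] * r[1] for r in rows)
    b1 = sum(r[0] * v for r, v in zip(rows, rhs))
    b2 = sum(r[1] * v for r, v in zip(rows, rhs))
    det = a11 * a22 - a12 * a12
    if abs(det) < 1e-9:
        raise ValueError("reference APs are collinear; a non-collinear AP is required")
    return ((b1 * a22 - a12 * b2) / det, (a11 * b2 - a12 * b1) / det)


def locate(rssi_by_ap: dict, tof_ns_by_ap: dict = None) -> tuple:
    """The page's exemplary method: coarse landmark from RSSI + calibration, then a
    pinpointed (x, y) from time data when present, otherwise from RSSI-derived ranges."""
    landmark = nearest_landmark(rssi_by_ap)
    if tof_ns_by_ap:
        ranges = {ap: tof_to_distance(t) for ap, t in tof_ns_by_ap.items()}
    else:
        ranges = {ap: rssi_to_distance(r) for ap, r in rssi_by_ap.items()}
    return landmark, trilaterate(ranges)


def tof_ns_from_point(x: float, y: float) -> dict:
    """Helper for constructing readings: ideal time of flight from (x, y) to each AP."""
    return {ap: math.hypot(x - px, y - py) / C_M_PER_NS
            for ap, (px, py) in AP_POSITIONS.items()}


# Constructed tracking readings for the rogue AP 60 (no real data involved).
ROGUE_RSSI = {"AP10": -28, "AP20": -12, "AP30": -21}  # closest to the "Storage room" row
ROGUE_TOF_NS = tof_ns_from_point(12.0, 7.0)          # rogue assumed at (12, 7) metres

if __name__ == "__main__":
    print(locate(ROGUE_RSSI, ROGUE_TOF_NS))
```

The fingerprint match needs no propagation model, which is why the description makes calibration mandatory for RSSI: converting dBm to metres directly is unreliable indoors because of multipath and walls, and the model constants above would have to be fitted from the calibration readings. The time path is only as good as the clock alignment between the APs; the nanosecond figures in the table correspond to roughly 30 cm per nanosecond.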

The server 70 may then display the results of the calculation on a map of the WLAN 100, e.g., FIG. 1, and overlay the APs 10-30 on the map, since the locations of the APs 10-30 are known. The map of the WLAN 100 may be used in conjunction with a physical map of the organization's building (e.g., an architectural blueprint).

The present invention has been described with reference to an embodiment having the WLAN 100 with the APs 10-30, the single rogue AP 60, the one authorized MU 1, and the server 70. One skilled in the art would understand that the present invention may also be successfully implemented, for example, for a plurality of rogue APs, a plurality of APs in a WLAN, etc. Accordingly, various modifications and changes may be made to the embodiments without departing from the broadest spirit and scope of the present invention as set forth in the claims that follow. The specification and drawings are accordingly to be regarded in an illustrative rather than restrictive sense.

1. A method for determining a location of an unauthorized wireless access point (“AP”) in a communications network, comprising: generating a tracking data record which includes a location of each of at least three authorized wireless devices and strength data corresponding to a strength of signals of the unauthorized AP as measured by each of the at least three authorized wireless devices; and determining the location of the unauthorized AP as a function of the tracking data record.
2. The method according to claim 1, further comprising: upon receiving notification of an existence of the unauthorized AP in the communications network, selecting the at least three authorized wireless devices from a plurality of authorized wireless devices to track the signals of the unauthorized AP.
3. The method according to claim 1, wherein the tracking data record further includes time data corresponding to time periods that it takes for the signals to arrive at each of the at least three authorized wireless devices.
4. The method according to claim 3, wherein the determining step includes the following substep: determining the location of the unauthorized AP as a function of a calibrating record, the calibrating record including (a) at least one of (i) second strength data corresponding to a strength of a calibrating signal as transmitted from a predetermined location within the communications network and received by each of the at least three authorized wireless devices and (ii) second time data corresponding to a time period that it takes for the calibrating signal to arrive at each of the at least three authorized wireless devices from the predetermined location, (b) the predetermined location and (c) the location of each of the at least three authorized wireless devices.
5. The method according to claim 1, wherein each of the at least three authorized wireless devices is one of an access point and a wireless mobile device.
6. The method according to claim 4, wherein the determining step includes the substep of calculating the location of the unauthorized AP as a function of the strength data and the second strength data.
7. The method according to claim 4, wherein the determining step includes at least one of (i) the substep of triangulating the location of the unauthorized AP using the time data and (ii) the substep of calculating the location of the unauthorized AP as a function of the time data and the second time data.
8. The method according to claim 4, further comprising: before the determining step, performing a calibration procedure including the following substeps: placing a calibrating device at a plurality of predetermined locations within the communication network, tracking a calibration signal from the calibrating device using each of the at least three authorized wireless devices, and generating a calibration record based on data generated in the tracking substep.
9. A system for determining a location of an unauthorized wireless access point (“AP”) accessing a communications network, comprising: at least three authorized wireless devices; and a computing arrangement generating a tracking data record which includes a location of each of the at least three authorized wireless devices and strength data corresponding to strengths of signals of the unauthorized AP as measured by each of the at least three authorized wireless devices, wherein the computing arrangement determines the location of the unauthorized AP as a function of the tracking record.
10. The system according to claim 9, wherein, upon notification of existence of the unauthorized AP, the computing arrangement selects the at least three authorized wireless devices from a group of authorized wireless devices to track the signals of the unauthorized AP.
11. The system according to claim 9, wherein the tracking data record further includes time data corresponding to time periods that it takes for the signals to arrive at each of the at least three authorized wireless devices.
12. The system according to claim 11, wherein the computing arrangement further utilizes a calibrating data record to determine the location of the unauthorized AP, the calibrating record including (a) at least one of (i) second strength data corresponding to a strength of a calibrating signal as transmitted from a predetermined location within the communications network and received by each of the at least three wireless devices and (ii) second time data corresponding to a time period that it takes for the calibrating signal to arrive at each of the at least three authorized wireless devices, (b) the predetermined location and (c) the location of each of the at least three authorized wireless devices.
13. The system according to claim 12, wherein the computing arrangement calculates the location of the unauthorized AP as a function of the strength data and the second strength data.
14. The system according to claim 12, wherein the computing arrangement performs at least one of (i) triangulating the location of the unauthorized AP using the time data and (ii) calculating the location of the unauthorized AP as a function of the time data and the second time data.
15. The system according to claim 9, wherein each of the at least three authorized wireless devices is one of an AP and a wireless mobile device.
16. A computing device for determining a location of an unauthorized wireless access point (“AP”) accessing a communications network, comprising: a communication arrangement communicating with at least three authorized wireless devices in the communications network; and a processor determining the location of the unauthorized AP as a function of a tracking data record, wherein the tracking data record includes a location of each of the at least three authorized wireless devices and strength data corresponding to strengths of signals transmitted by the unauthorized AP as measured by each of the at least three authorized wireless devices.
17. The computing device according to claim 16, wherein, upon receiving notification of an existence of the unauthorized AP, the processor selects the at least three authorized wireless devices from a group of authorized wireless devices to track the signals from the unauthorized AP.
18. The computing device according to claim 16, wherein the data record further includes time data corresponding to time periods that it takes for the signals to arrive at each of the at least three authorized wireless devices.
19. The computing device according to claim 18, further comprising: a memory arrangement storing a calibrating data record, wherein the calibrating record includes (a) at least one of (i) second strength data corresponding to a strength of a calibrating signal as transmitted from a predetermined location within the communications network and received by each of the at least three authorized wireless devices and (ii) second time data corresponding to a time period that it takes for the calibrating signal to arrive at each of the at least three authorized wireless devices, (b) the predetermined location and (c) the location of each of the at least three authorized wireless devices, and wherein the processor determines the location of the unauthorized AP as a function of the calibration record and the tracking record.
20. A device, comprising: a communication means for communicating with at least three authorized wireless devices in a communications network; and a processing means for determining a location of an unauthorized AP in the communications network as a function of a tracking data record, wherein the tracking data record is generated by the at least three authorized wireless devices during tracking of signals of the unauthorized AP, the tracking data record including a location of each of the at least three authorized wireless devices and strength data corresponding to a strength of the signals transmitted by the unauthorized AP as measured by each of the at least three authorized wireless devices.